Vulnerability Description
The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nodejs | Node.Js | >= 16.0.0, <= 16.20.1 |
| Fedoraproject | Fedora | 37 |
Related Weaknesses (CWE)
References
- https://hackerone.com/reports/2043807Issue Tracking
- https://lists.fedoraproject.org/archives/list/[email protected]Mailing List
- https://lists.fedoraproject.org/archives/list/[email protected]Mailing List
- https://security.netapp.com/advisory/ntap-20230915-0009/
- https://hackerone.com/reports/2043807Issue Tracking
- https://lists.fedoraproject.org/archives/list/[email protected]Mailing List
- https://lists.fedoraproject.org/archives/list/[email protected]Mailing List
- https://security.netapp.com/advisory/ntap-20230915-0009/
FAQ
What is CVE-2023-32006?
CVE-2023-32006 is a vulnerability with a CVSS score of 8.8 (HIGH). The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users usin...
How severe is CVE-2023-32006?
CVE-2023-32006 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-32006?
Check the references section above for vendor advisories and patch information. Affected products include: Nodejs Node.Js, Fedoraproject Fedora.